Network Operations (4) Flashcards

1
Q

Which of the following processes scans multiple computers on a network for a particular open TCP or UDP port?

Port scanning

War driving

Port sweeping

A

Port sweeping

Port scanning identifies open ports on a single computer, whereas port sweeping scans multiple computers for a single open port. War driving and bluejacking are methods of attacking wireless networks.

2
Q

Which of the following statements best explains the difference between a protocol analyzer and a sniffer?

Analyzers examine the contents of packets, whereas sniffers analyze traffic trends.

Analyzers are software products, whereas sniffers are hardware products.

Analyzers connect to wired networks, whereas sniffers analyze wireless traffic.

A

Analyzers examine the contents of packets, whereas sniffers analyze traffic trends.

The difference between analyzers and sniffers is that analyzers read the internal contents of the packets they capture, parse the individual data units, and display information about each of the protocols involved in the creation of the packet. Sniffers look for trends and patterns in the network traffic without examining the contents of each packet. Both analyzers and sniffers can be implemented as hardware or software. Analyzers and sniffers are available for wired and wireless networks.

3
Q

After starting work as the network administrator of Wingtip Toys, you discover that all of the switches in the company’s datacenter have support for remote management, with built-in SNMP agents in each port. Which of the following tasks must you perform to be able to gather information from the agents on those switches and display it on a central console? (Choose all correct answers.)

Install the network management software on a network computer.

Install a management information base (MIB) on each of the switches.

Install an agent on the console computer.

Install an MIB on the console computer.

Purchase a network management product.

A

Install the network management software on a network computer.

Purchase a network management product.

An SNMP-based network management system consists of three components: a management console software product installed on a network computer, agents installed on the devices you want to manage, and MIBs for each of the agents. Because the switches support SNMP management and already have agents, they have MIBs also. Therefore, all you have to do is purchase the network management software and install the console on a network computer.

4
Q

Which of the following software releases is a fix designed to address one specific issue?

A patch

An update

An upgrade

A

A patch

A patch is a relatively small update that is designed to address a specific issue, often a security exploit or vulnerability. Patches do not add features or new capabilities; they are fixes targeted at a specific area of the operating system. Updates, upgrades, and service packs are larger packages that might include new features and/or many different fixes.

5
Q

Which of the following statements about protocol analyzers is not true?

Protocol analyzers can be a network security risk.

Some network monitoring products are both analyzers and sniffers.

All Windows operating systems include a protocol analyzer.

A

All Windows operating systems include a protocol analyzer.

A protocol analyzer captures frames and displays their contents, including the header fields created by the protocols at the various OSI model layers. To interpret the exchanges between the computers on the network, you must be familiar with the protocols and how they operate. Protocol analyzers are useful tools in the hands of experienced network administrators, but they can also be used for malicious purposes, such as displaying unencrypted passwords and other confidential information in the captured packets. The difference between analyzers and sniffers is that analyzers read the internal contents of the packets they capture, parse the individual data units, and display information about each of the protocols involved in the creation of the packet. Sniffers look for trends and patterns in the network traffic without examining the contents of each packet.

6
Q

Which versions of the Simple Network Management Protocol do not include any security protection other than a clear text community string? (Choose all correct answers.)

SNMPv1

SNMPv2

SNMPv2c

SNMPv3

A

SNMPv1

SNMPv2c

SNMP version 1, the original version, used an unencrypted community string. SNMPv2 added better security, but it was not backward compatible with the version 1 community string. A revised version, SNMPv2c, added backward compatibility. SNMPv3, the one most often seen today, includes more advanced security and does not use a community string.

7
Q

Which of the following types of patches is most typically applied to a hardware device?

Firmware updates

Driver updates

Feature changes

A

Firmware updates

Firmware is a type of software permanently written to the memory built into a hardware device. A firmware update overrides the read-only nature of this memory to update the software. Driver updates, feature updates, and vulnerability patches are typically applied to software products, such as applications and operating systems.

8
Q

When can Microsoft Windows users expect to receive automatic downloads of operating system patches?

Weekly, on Mondays

Monthly, on the second Tuesday of the month

Quarterly, on the first day of January, April, July, and October

A

Monthly, on the second Tuesday of the month

For Windows users, the second Tuesday of every month is “Patch Tuesday,” when Microsoft releases the latest operating system patches for automatic download.

9
Q

Unlike individual users, who usually have their operating system patches downloaded and installed automatically, corporate IT departments typically evaluate new patches before deploying them. Which of the following is not a common step in this evaluation process?

Testing

Researching

Rolling back

A

Rolling back

Rolling back, the process of uninstalling a patch to revert to the previous version of the software, is not part of the patch evaluation process. The evaluation process for new patches in a corporate environment usually consists of a research stage, in which you examine the need and purpose for the patch; a testing stage, in which you install the patch on a lab machine; and a backup of the production systems to which you will apply the patch.

10
Q

Which of the following types of patches is most likely to be released outside of the normal schedule for the product?

Vulnerability patch

Feature change

Driver update

A

Vulnerability patch

Vulnerability patches are usually updates that address severe issues that have been recently discovered. When the vulnerability is severe, the software manufacturer might release a patch as soon as it is available, rather than wait for the next scheduled release. Feature changes, driver updates, and firmware updates are usually not time sensitive and are released on schedule.

11
Q

Which of the following types of patches are IT personnel least likely to install unless there is a specific reason to do so?

Feature change

Driver update

Operating system update

A

Driver update

If a device driver is functioning properly, many administrators would prefer not to update it, believing that “if it ain’t broke, don’t fix it.” Unless a device driver update addresses a specific bug or an incompatibility that the system is experiencing, there might be no need to install it. Feature changes, operating system updates, and especially vulnerability patches are more likely to be recommended installs.

12
Q

Which of the following statements about the Simple Network Management Protocol (SNMP) are not true? (Choose all correct answers.)

To effectively monitor a network using SNMP, you must be sure that all of the equipment you purchase when designing and building your network supports the protocol.

SNMP is not only the name of a protocol; it is also the name of a network management product.

SNMPv1 and SNMPv2 rely on a community string as their only means of security.

Most of the network management products on the market today support SNMPv3.

A

SNMP is not only the name of a protocol; it is also the name of a network management product.

SNMPv1 and SNMPv2 rely on a community string as their only means of security.

SNMP is not the name of a network management product; it is just the name of the protocol that provides a framework for the interaction of the various components in a network management product. SNMPv1 uses a community string, but SNMPv2 does not. The interim version SNMPv2c retains the community string from version 1 in place of the new version 2 security system. When you see a network interface adapter, switch, router, access point, or other device that purports to be managed or that claims to have network management capabilities, this usually means that the device includes an SNMP agent. Most of today’s network management products do support SNMPv3. In addition, many network management products that implement SNMPv3 also include support for the earlier, unprotected versions, such as SNMPv1 and SNMPv2c.

13
Q

Which of the following terms refers to the process of uninstalling a recently released patch to resume using the previous version?

Downgrade

Reset

Rollback

A

Rollback

Rollback is a term used in change management to describe the process of reversing a change that has been made, to restore the original configuration. In the case of patch management, a rollback is the process of uninstalling a recently installed software update. The terms backslide, downgrade, and reset are not used to describe this procedure.

14
Q

Which of the following was created to provide logging services for the Unix sendmail program?

syslog

netstat

SNMP

A

syslog

Syslog is a standard designed to facilitate the transmission of log entries generated by a device or process, such as the sendmail SMTP server, across an IP network to a message collector, called a syslog server. Netstat is a program that displays status information about a system’s network connections; it does not provide logging services. SNMP is a protocol that carries network management information from agents to a central console; it was not created specifically for sendmail. The Cache Array Routing Protocol (CARP) enables proxy servers to exchange information; it does not provide logging services.

15
Q

After switching from a standard PSTN telephone system to a Voice over IP system, users are complaining of service interruptions and problems hearing callers at certain times of the day. After examining the network traffic, you determine that traffic levels on the Internet connection are substantially higher during the first and last hours of the day, the same times when most of the users experienced their problems. Which of the following solutions can provide more reliable VoIP service during peak usage times?

Implement traffic shaping.

Implement load balancing.

Upgrade the LAN from Fast Ethernet to Gigabit Ethernet.

A

Implement traffic shaping.

Traffic shaping is a technique for prioritizing packets by buffering packets that are not time sensitive for later transmission. You can use this technique to give VoIP packets priority over other types of traffic. Load balancing can conceivably improve the performance of a server, but it cannot help to relieve traffic congestion on the Internet link. The traffic congestion is on the Internet connection, not the LAN, so upgrading to Gigabit Ethernet will not help. SNMP is a protocol used by network management products; it will not relieve the traffic congestion problem.

16
Q

You are the network administrator of your company’s network. Your company wants to perform baseline analysis of network-related traffic and statistics. They want to track broadcasts, cyclical redundancy check (CRC) errors, and collisions for all traffic traversing a switched network. In addition, they want to provide historical and daily reports for management. They also want to keep track of software distribution and metering. What type of network software product best meets these needs?

Simple Network Management Protocol (SNMP) management

Protocol analyzer

Performance Monitor

A

Simple Network Management Protocol (SNMP) management

The best solution is to implement SNMP. This includes a management console, agents, and management information bases (MIBs). SNMP allows you to track statistical network information (historical and current) and produce reports for baseline analysis and troubleshooting. Some SNMP products also allow you to track software distribution and metering. Protocol analyzers are best used for troubleshooting problems in real time and are not used for software distribution and metering. Performance Monitor is a tool that allows you to track performance statistics for one system at a time and does not include software distribution and metering. There is no such product as a network traffic monitor.

17
Q

You have finished capturing traffic with a protocol analyzer. The analyzer reports that 2000 frames have been seen, but only 1500 frames have been accepted. What does this mean?

2000 frames have passed the display filter, but only 1500 meet the criteria for display.

Only 1500 frames have passed the capture filter and are currently being held in the buffer.

You lost 500 frames and need to start over—something is obviously wrong.

A

Only 1500 frames have passed the capture filter and are currently being held in the buffer.

Protocol analyzers report the total number of frames seen compared to the number of frames that were accepted. If a capture filter has been configured, there will be a discrepancy between these two values. Only frames that meet the capture criteria will be accepted by the analyzer and placed in the buffer for later display. Protocol analyzers place good and bad frames into the buffer as long as they meet the capture criteria. If only good frames were placed in the buffer, there would be no way to identify problems.

18
Q

Which of the following is the database used by the Simple Network Management Protocol (SNMP) to reference information gathered from agents distributed about the network?

Trap

Syslog

MIB

A

MIB

A management information base (MIB) is the database on an SNMP console where all of the counters and associated object identifiers (OIDs) are referenced. A trap is an alert message that SNMP agents send to the network management console. Syslog is a standard for message logging components. Security information and event management (SIEM) is a combination tool that uses information gathered from logs and network devices to provide a real-time analysis of the network’s security condition.

19
Q

You are attempting to troubleshoot a problem between two hosts on the same network. You are using a protocol analyzer and start a new capture. After you finish the capture, you notice there are over 15,000 frames in the buffer. You are having a hard time identifying the frames that relate to the problem because so many frames are in the buffer. You want to eliminate the extraneous frames from your view, allowing you to view only frames from these two hosts. What do you need to do?

Configure a display filter.

Configure a capture filter.

Delete the extraneous frames from the buffer.

A

Configure a display filter.

Once the frames are in the buffer, you can configure a display filter to block the unwanted frames from view. This doesn’t delete them from the buffer. Since the capture was already performed, there is no need to restart the capture. Also, configuring a capture filter will not meet the requirements, since the filter will eliminate the other frames completely from the buffer. You can’t delete frames from an analyzer buffer.

20
Q

Which of the following utilities can be classified as port scanners? (Choose all correct answers.)

Nmap

Nessus

Network Monitor

Performance Monitor

A

Nmap

Nessus

Nmap is a command-line utility that scans a range of IP addresses, runs a series of scripts against each device it finds, and displays a list of the open ports it finds on each one. Nessus is similar to Nmap in that it also scans a range of IP addresses to find open ports, but it then proceeds to mount attacks against those ports, to ascertain their vulnerability. Network Monitor is a protocol analyzer or packet sniffer, which is a program that captures network traffic samples and analyzes them. It is not a port scanner. Performance Monitor is a program that displays statistics for specific system and network performance criteria. It is not a port scanner.

21
Q

When you run a port scanner on a server, which of the following is the result?

A list of processes running on the system

A list of open ports through which the system can be accessed

A list of protocols used by the system for network communication

A

A list of open ports through which the system can be accessed

A port scanner examines a system for open endpoints, accessible using the TCP or UDP protocols, which intruders can conceivably use to gain access to the system from the network.

22
Q

A port scanner examines a system for network vulnerabilities at which layer of the Open Systems Interconnection (OSI) model?

Application

Transport

Network

A

Transport

A port is a numbered service endpoint identifying an application running on a TCP/IP system. A port scanner examines a system for open endpoints, accessible using the TCP or UDP protocols at the transport layer, which intruders can conceivably use to gain access to the system from the network.

23
Q

Which of the following technologies provides both real-time monitoring of security events and automated analysis of the event information gathered?

SIEM

SNMP

SEM

A

SIEM

Security Information and Event Management (SIEM) is a product that combines two technologies: security event management (SEM) and security information management (SIM). Together, the two provide a combined solution for gathering and analyzing information about a network’s security events. Simple Network Management Protocol (SNMP) is a technology that gathers information about managed devices.

24
Q

Which of the following best describes the primary function of a port scanner?

A port scanner examines a computer’s hardware and compiles a list of the physical ports in the system.

A port scanner examines a computer for TCP and UDP endpoints that are accessible from the network.

A port scanner examines a specified range of IP addresses on a network to determine whether they are in use.

A

A port scanner examines a computer for TCP and UDP endpoints that are accessible from the network.

The ports that a port scanner examines are the system endpoints identified by port numbers in TCP and UDP protocol headers. An open port provides network access to an application running on the computer, which can conceivably be exploited by an intruder.

25
Q

Which of the following statements about web server logs is not true?

Web server logs are typically maintained as text files.

Web server logs record the IP addresses of all visiting users.

To interpret web server logs, you use a protocol analyzer.

A

To interpret web server logs, you use a protocol analyzer.

A protocol analyzer provides information about network traffic; it does not interpret web server logs. Most web servers maintain logs that track the IP addresses and other information about all hits and visits. The logs are stored as text files and contain a great deal of information, but in their raw form, they are difficult to interpret. Therefore, it is common practice to use a traffic analysis application that reads the log files and displays their contents in a more user-friendly form, such as tables and graphs.